Re: Authentication: Basic, Digest, NTLM, IP, whatever.

From: Andy Doran <ad@dont-contact.us>
Date: Wed, 15 Dec 1999 10:59:38 +0000 (GMT)

On Wed, 15 Dec 1999, Henrik Nordstrom wrote:

> The approach I am leaning towards is some more generalized approach to
> authentication with (for NTLM) sticky authenticators on a per client
> connection basis. The idea is to find an authenticator module method
> suitable for all three commonly used authentication methods (Basic,
> Digest, NTLM). Squid should only concern itself with the minimal
> decoding required to find the username, and caching of authentication
> responses. The rest should be handed off to the authenticator (probably
> as-is). I have yet to study some of the details of Digest authentication
> to find out what requirements that makes on Squid, so this picture may
> be slightly revised.

If we were to use dlopen()/dlsym() and friends, it would be possible to
create an authentication module that could (a) be run as a separate
process so as to authenticate asynchronously and (b) provide the needed
linkage for Squid to understand the particular authentication scheme.

The major downside to this is that if libdl was used, we'd instantly be
knocking a lot of older platforms out of the running. Ultrix comes to
mind.

> There is also need for a user-group concept. In some cases this can be
> joined with the authenticator, in other cases the need is separately on
> a per group basis. What I am leaning towards on this issue is to have
> two acl types:
>
> auth_group: Membership indicated by the authenticator process.
>
> group: Membership queried by a per group+username(or ident)+ip basis via
> external helpers.

Nice idea. It would allow organisations to integrate Squid in much the
same way as MS-Proxy, controlling access from the NT side of things.

One thing common to both Unix and NT that this should be aware of is the
concept of a user being a member of a primary group + additional groups.

- ad
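The split Henrik sketches above (the proxy does only the minimal decoding needed to find the username and caches authentication verdicts; everything else is handed to an authenticator running as a separate process) as an added example in Python. This is not part of the original thread and not Squid's own code or helper protocol: the helper script, its one-line-in/OK-or-ERR-out exchange, the user database and the cache policy (only positive verdicts are cached, for a fixed TTL) are all constructed for the demo.

```python
"""Constructed sketch: proxy front end does minimal decode + verdict cache,
an external helper process (separate from the proxy) does the real check."""
import base64
import subprocess
import sys
import time

# Constructed line-oriented helper, run as a separate process. It is NOT
# Squid's helper protocol; it answers OK or ERR for each credential line.
HELPER_SCRIPT = r'''
import sys
VALID = {"alice:s3cret", "bob:hunter2"}   # constructed user database for the demo
for line in sys.stdin:
    sys.stdout.write("OK\n" if line.rstrip("\n") in VALID else "ERR\n")
    sys.stdout.flush()
'''


def make_basic_header(user, password):
    """Build a Basic credential string the way a client would (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value):
    """Minimal decoding only: return (username, raw 'user:password') or None.
    The proxy needs the username for logging and ACLs; the rest stays opaque."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        cred = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    # Reject control characters so a credential can never smuggle a newline
    # (or other framing) into the line-oriented helper protocol.
    if any(ord(c) < 0x20 or c == "\x7f" for c in cred):
        return None
    user, sep, _ = cred.partition(":")
    if not sep or not user:
        return None
    return user, cred


class AuthFrontEnd:
    """Proxy side: decode, consult cache, otherwise hand the credential as-is to the helper."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable for testing expiry
        self.cache = {}                    # raw credential -> expiry time (positive verdicts only)
        self.helper_calls = 0
        self.helper = subprocess.Popen(
            [sys.executable, "-c", HELPER_SCRIPT],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)

    def _ask_helper(self, cred):
        self.helper_calls += 1
        self.helper.stdin.write(cred + "\n")
        self.helper.stdin.flush()
        return self.helper.stdout.readline().strip() == "OK"

    def authenticate(self, header_value):
        """Return (username, allowed); username is None if the header is undecodable."""
        decoded = decode_basic(header_value)
        if decoded is None:
            return None, False
        user, cred = decoded
        now = self.clock()
        expires = self.cache.get(cred)
        if expires is not None and expires > now:
            return user, True              # cache hit: helper not consulted
        verdict = self._ask_helper(cred)
        if verdict:
            self.cache[cred] = now + self.ttl
        else:
            self.cache.pop(cred, None)     # a failed check never extends a cached success
        return user, verdict

    def close(self):
        self.helper.stdin.close()
        self.helper.wait(timeout=5)


if __name__ == "__main__":
    fe = AuthFrontEnd()
    for hdr in (make_basic_header("alice", "s3cret"), make_basic_header("alice", "wrong")):
        print(hdr, "->", fe.authenticate(hdr))
    fe.close()
```

Only successful verdicts are cached so that a failed attempt always reaches the helper and a changed or revoked password takes effect at the next request; the control-character check is what keeps the "hand it off as-is" part safe when the helper exchange is line-framed.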
Received on Wed Dec 15 1999 - 03:05:02 MST
